From:

        Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To:

         <debian-changes@lists.debian.org>

Subject:

    Accepted linux 6.1.170-1 (source) into oldstable-proposed-updates

Date:

    Sat, 02 May 2026 18:21:18 +0000

Signed by: Salvatore Bonaccorso carnil@debian.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Format: 1.8 Date: Thu, 30 Apr 2026 21:12:35 +0200 Source: linux Architecture: source Version: 6.1.170-1 Distribution: bookworm-security Urgency: high Maintainer: Debian Kernel Team debian-kernel@lists.debian.org Changed-By: Salvatore Bonaccorso carnil@debian.org Changes: linux (6.1.170-1) bookworm-security; urgency=high .

• New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.165
  • RDMA/siw: Fix potential NULL pointer dereference in header processing
  • RDMA/umad: Reject negative data_len in ib_umad_write
  • auxdisplay: arm-charlcd: fix release_mem_region() size
  • hfsplus: return error when node already exists in hfs_bnode_create
  • audit: avoid missing-prototype warnings
  • audit: move the compat_xxx_class[] extern declarations to audit_arch.h
  • i3c: Move device name assignment after i3c_bus_init
  • fs: add <linux/init_task.h> for 'init_fs'
  • i3c: master: Update hot-join flag only on success
  • gfs2: Add metapath_dibh helper
  • gfs2: Fix use-after-free in iomap inline data write path
  • tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure
  • tpm: st33zp24: Fix missing cleanup on get_burstcount() error
  • btrfs: qgroup: return correct error when deleting qgroup relation item
  • btrfs: fix block_group_tree dirty_list corruption
  • smb: client: fix potential UAF and double free in smb2_open_file()
  • xen/virtio: Optimize the setup of "xen-grant-dma" devices
  • xen/virtio: Handle PCI devices which Host controller is described in DT
  • xen/virtio: Don't use grant-dma-ops when running as Dom0
  • ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
  • io_uring/sync: validate passed in offset
  • md/raid10: fix any_working flag handling in raid10_sync_request
  • iomap: fix submission side handling of completion side errors
  • ublk: Validate SQE128 flag before accessing the cmd
  • PM: wakeup: Handle empty list in wakeup_sources_walk_start()
  • PM: sleep: wakeirq: harden dev_pm_clear_wake_irq() against races
  • [s390x] cio: Fix device lifecycle handling in css_alloc_subchannel()
  • [x86] crypto: qat - fix warning on adf_pfvf_pf_proto.c
  • [armhf] VDSO: Patch out __vdso_clock_getres() if unavailable
  • [arm64] crypto: cavium - fix dma_free_coherent() size
  • crypto: hisilicon/zip - support deflate algorithm
  • crypto: hisilicon/zip - remove zlib and gzip
  • crypto: hisilicon/zip - adjust the way to obtain the req in the callback function
  • crypto: hisilicon/sec - fix spelling mistake 'ckeck' -> 'check'
  • crypto: hisilicon/sec2 - fix for sec spec check
  • crypto: hisilicon/sec2 - support skcipher/aead fallback for hardware queue unavailable
  • hrtimer: Fix trace oddity
  • bpf, sockmap: Fix incorrect copied_seq calculation
  • crypto: hisilicon/trng - modifying the order of header files
  • crypto: hisilicon/trng - support tfms sharing the device
  • bpf: Fix bpf_xdp_store_bytes proto for read-only arg
  • scsi: efct: Use IRQF_ONESHOT and default primary handler
  • EDAC/altera: Remove IRQF_ONESHOT
  • mfd: wm8350-core: Use IRQF_ONESHOT
  • sched/rt: Skip currently executing CPU in rto_next_cpu()
  • pstore/ram: fix buffer overflow in persistent_ram_save_old()
  • EDAC/i5000: Fix snprintf() size calculation in calculate_dimm_size()
  • EDAC/i5400: Fix snprintf() limit calculation in calculate_dimm_size()
  • [arm64] dts: tqma8mpql-mba8mpxl: Fix HDMI CEC pad control settings
  • [arm64] clk: qcom: Return correct error code in qcom_cc_probe_by_index()
  • [arm64] dts: qcom: sdm630: fix gpu_speed_bin size
  • [arm64] dts: qcom: sdm845-oneplus: Don't mark ts supply boot-on
  • [arm64] dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on
  • [armhf] dts: allwinner: sun5i-a13-utoo-p66: delete "power-gpios" property
  • [powerpc*] uaccess: Move barrier_nospec() out of allow_read_{from/write}_user()
  • [arm64] soc: qcom: cmd-db: Use devm_memremap() to fix memory leak in cmd_db_dev_probe
  • [powerpc*] eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling
  • [arm64] dts: amlogic: axg: assign the MMC signal clocks
  • [arm64] dts: amlogic: gx: assign the MMC signal clocks
  • [arm64] dts: amlogic: g12: assign the MMC B and C signal clocks
  • [arm64] dts: amlogic: g12: assign the MMC A signal clock
  • [arm64] dts: qcom: sdm845-db845c: drop CS from SPIO0
  • [arm64] dts: qcom: sdm845-db845c: specify power for WiFi CH1
  • [x86] ASoC: nau8821: Consistently clear interrupts before unmasking
  • [x86] ASoC: nau8821: Avoid unnecessary blocking in IRQ handler
  • [x86] ASoC: nau8821: Fixup nau8821_enable_jack_detect()
  • drm/amdgpu: Use explicit VCN instance 0 in SR-IOV init
  • regulator: core: move supply check earlier in set_machine_constraints()
  • HID: playstation: Add missing check for input_ff_create_memless
  • drm/msm/dpu: fix CMD panels on DPU 1.x - 3.x
  • media: ccs: Accommodate C-PHY into the calculation
  • platform/chrome: cros_typec_switch: Don't touch struct fwnode_handle::dev
  • media: uvcvideo: Fix allocation for small frame sizes
  • platform/chrome: cros_ec_lightbar: Fix response size initialization
  • spi: tools: Add include folder to .gitignore
  • Revert "hwmon: (ibmpex) fix use-after-free in high/low store"
  • PCI: mediatek: Fix IRQ domain leak when MSI allocation fails
  • Documentation: PCI: endpoint: Fix ntb/vntb copy & paste errors
  • PCI/PM: Avoid redundant delays on D3hot->D3cold
  • PCI: Do not attempt to set ExtTag for VFs
  • PCI/portdrv: Fix potential resource leak
  • net: mctp-i2c: fix duplicate reception of old data
  • mctp i2c: initialise event handler read bytes
  • wifi: cfg80211: stop NAN and P2P in cfg80211_leave
  • netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH
  • netfilter: nf_conncount: increase the connection clean up limit to 64
  • netfilter: nft_compat: add more restrictions on netlink attributes
  • netfilter: nf_conncount: fix tracking of connections from localhost
  • module: add helper function for reading module_buildid()
  • kallsyms/ftrace: set module buildid in ftrace_mod_address_lookup()
  • PCI: Mark 3ware-9650SA Root Port Extended Tags as broken
  • [amd64] iommu/vt-d: Flush cache for PASID table before using it
  • dm: use bio_clone_blkg_association
  • nfsd: never defer requests during idmap lookup
  • fat: avoid parent link count underflow in rmdir
  • tcp: tcp_tx_timestamp() must look at the rtx queue
  • wifi: ath10k: sdio: add missing lock protection in ath10k_sdio_fw_crashed_dump()
  • PCI: Initialize RCB from pci_configure_device()
  • ipc: don't audit capability check in ipc_permissions()
  • ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()
  • octeontx2-af: Fix PF driver crash with kexec kernel booting
  • bonding: only set speed/duplex to unknown, if getting speed failed
  • timers: Replace in_irq() with in_hardirq()
  • nfc: hci: shdlc: Stop timers and work before freeing context
  • netfilter: nft_set_hash: fix get operation on big endian
  • netfilter: nft_counter: fix reset of counters on 32bit archs
  • netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets
  • PCI: Add ACS quirk for Pericom PI7C9X2G404 switches [12d8:b404]
  • [arm64] net: hns3: fix double free issue for tx spare buffer
  • procfs: fix missing RCU protection when reading real_parent in do_task_stat()
  • smb: client: correct value for smbd_max_fragmented_recv_size
  • net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
  • net: Add skb_dstref_steal and skb_dstref_restore
  • net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers
  • xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
  • serial: caif: fix use-after-free in caif_serial ldisc_close()
  • ionic: Rate limit unknown xcvr type messages
  • octeontx2-pf: Unregister devlink on probe failure
  • RDMA/rtrs: server: remove dead code
  • IB/cache: update gid cache on client reregister event
  • [arm64] RDMA/hns: Fix WQ_MEM_RECLAIM warning
  • [arm64]RDMA/hns: Notify ULP of remaining soft-WCs during reset
  • power: supply: ab8500: Fix use-after-free in power_supply_changed()
  • power: supply: act8945a: Fix use-after-free in power_supply_changed()
  • power: supply: bq256xx: Fix use-after-free in power_supply_changed()
  • power: supply: bq25980: Fix use-after-free in power_supply_changed()
  • power: supply: cpcap-battery: Fix use-after-free in power_supply_changed()
  • power: supply: goldfish: Fix use-after-free in power_supply_changed()
  • power: supply: rt9455: Fix use-after-free in power_supply_changed()
  • power: supply: sbs-battery: Fix use-after-free in power_supply_changed()
  • power: reset: nvmem-reboot-mode: respect cell size for nvmem_cell_write
  • power: supply: bq27xxx: fix wrong errno when bus ops are unsupported
  • power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed()
  • RDMA/rtrs-srv: Refactor the handling of failure case in map_cont_bufs
  • RDMA/rtrs-srv: Correct the checking of ib_map_mr_sg
  • RDMA/rtrs-srv: fix SG mapping
  • RDMA/rxe: Fix double free in rxe_srq_from_init
  • mtd: rawnand: cadence: Fix return type of CDMA send-and-wait helper
  • [x86] crypto: ccp - Add an S4 restore flow
  • RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
  • RDMA/core: Fix a couple of obvious typos in comments
  • svcrdma: Remove queue-shortening warnings
  • svcrdma: Clean up comment in svc_rdma_accept()
  • svcrdma: Increase the per-transport rw_ctx count
  • svcrdma: Reduce the number of rdma_rw contexts per-QP
  • RDMA/core: add rdma_rw_max_sge() helper for SQ sizing
  • cxl: Fix premature commit_end increment on decoder commit failure
  • mtd: parsers: ofpart: fix OF node refcount leak in parse_fixed_partitions()
  • RDMA/uverbs: Add __GFP_NOWARN to ib_uverbs_unmarshall_recv() kmalloc
  • pNFS: fix a missing wake up while waiting on NFS_LAYOUT_DRAIN
  • scsi: smartpqi: Replace one-element arrays with flexible-array members
  • scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()
  • scsi: csiostor: Fix dereference of null pointer rn
  • nvdimm: virtio_pmem: serialize flush requests
  • fs/nfs: Fix readdir slow-start regression
  • tracing: Properly process error handling in event_hist_trigger_parse()
  • tracing: Remove duplicate ENABLE_EVENT_STR and DISABLE_EVENT_STR macros
  • [mips*] Work around LLVM bug when gp is used as global register variable
  • ext4: don't cache extent during splitting extent
  • ext4: fix memory leak in ext4_ext_shift_extents()
  • ext4: use optimized mballoc scanning regardless of inode format
  • ata: pata_ftide010: Fix some DMA timings
  • ata: libata-scsi: refactor ata_scsi_translate()
  • SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
  • SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path
  • fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe()
  • [arm64] clk: qcom: rcg2: compute 2d using duty fraction directly
  • [arm64] clk: meson: gxbb: Limit the HDMI PLL OD to /4 on GXL/GXM SoCs
  • [arm64] clk: qcom: gcc-msm8953: Remove ALWAYS_ON flag from cpp_gdsc
  • clk: Move clk_{save,restore}_context() to COMMON_CLK section
  • [arm64] clk: qcom: dispcc-sdm845: Enable parents for pixel clocks
  • [arm64] clk: qcom: gfx3d: add parent to parent request map
  • clk: mediatek: Fix error handling in runtime PM setup
  • dmaengine: mediatek: uart-apdma: Fix above 4G addressing TX/RX
  • dma: dma-axi-dmac: fix SW cyclic transfers
  • staging: greybus: lights: avoid NULL deref
  • serial: imx: change SERIAL_IMX_CONSOLE to bool
  • serial: SH_SCI: improve "DMA support" prompt
  • mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms
  • coresight: etm3x: Fix cpulocked warning on cpuhp
  • Revert "mmc: rtsx_pci_sdmmc: increase power-on settling delay to 5ms"
  • mfd: arizona: Fix regulator resource leak on wm5102_clear_write_sequencer() failure
  • drivers: iio: mpu3050: use dev_err_probe for regulator request
  • usb: bdc: fix sleep during atomic
  • pinctrl: equilibrium: Fix device node reference leak in pinbank_init()
  • ovl: Fix uninit-value in ovl_fill_real
  • iio: sca3000: Fix a resource leak in sca3000_probe()
  • pinctrl: qcom: sm8250-lpass-lpi: Fix i2s2_data_groups definition
  • pinctrl: single: fix refcount leak in pcs_add_gpio_func()
  • leds: qcom-lpg: Check the return value of regmap_bulk_write()
  • backlight: qcom-wled: Support ovp values for PMI8994
  • io_uring/cancel: abstract out request match helper
  • io_uring/cancel: fix sequence matching for IORING_ASYNC_CANCEL_ANY
  • io_uring/cancel: add IORING_ASYNC_CANCEL_USERDATA
  • io_uring/cancel: support opcode based lookup and cancelation
  • io_uring/cancel: de-unionize file and user_data in struct io_cancel_data
  • ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs
  • ACPI: PM: Add unused power resource quirk for THUNDEROBOT ZERO
  • cpuidle: Skip governor when only one idle state is available
  • net: sparx5/lan969x: fix DWRR cost max to match hardware register width
  • net: mscc: ocelot: extract ocelot_xmit_timestamp() helper
  • net: mscc: ocelot: split xmit into FDMA and register injection paths
  • net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj()
  • net: sparx5/lan969x: fix PTP clock max_adj value
  • net: usb: catc: enable basic endpoint checking
  • xen-netback: reject zero-queue configuration from guest
  • net/rds: rds_sendmsg should not discard payload_len
  • netfilter: nf_conntrack_h323: don't pass uninitialised l3num value
  • net: remove WARN_ON_ONCE when accessing forward path array
  • netfilter: nf_tables: fix use-after-free in nf_tables_addchain() (CVE-2026-23231)
  • ipv6: fix a race in ip6_sock_set_v6only()
  • bpftool: Fix truncated netlink dumps
  • ping: Convert hlist_nulls to plain hlist.
  • inet: ping: check sock_net() in ping_get_port() and ping_lookup()
  • ping: annotate data-races in ping_lookup()
  • macvlan: observe an RCU grace period in macvlan_common_newlink() error path
  • icmp: move icmp_global.credit and icmp_global.stamp to per netns storage
  • icmp: icmp_msgs_per_sec and icmp_msgs_burst sysctls become per netns
  • icmp: prevent possible overflow in icmp_global_allow()
  • octeontx2-af: Fix default entries mcam entry action
  • bonding: alb: fix UAF in rlb_arp_recv during bond up/down
  • apparmor: fix NULL sock in aa_sock_file_perm
  • apparmor: fix rlimit for posix cpu timers
  • apparmor: fix invalid deref of rawdata when export_binary is unset
  • [x86] drm/i915/acpi: free _DSM package when no connectors
  • btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found
  • [arm64] ASoC: rockchip: i2s-tdm: Use param rate if not provided by set_sysclk
  • drm/amd/display: Use same max plane scaling limits for all 64 bpp formats
  • perf callchain: Fix srcline printing with inlines
  • libperf: Don't remove -g when EXTRA_CFLAGS are used
  • libperf build: Always place libperf includes first
  • rtc: interface: Alarm race handling should not discard preceding error
  • audit: add fchmodat2() to change attributes class
  • hfsplus: fix volume corruption issue for generic/498
  • fs/buffer: add alert in try_to_free_buffers() for folios without buffers
  • audit: add missing syscalls to read class
  • hfsplus: pretend special inodes as regular files
  • i3c: master: svc: Initialize 'dev' to NULL in svc_i3c_master_ibi_isr()
  • minix: Add required sanity checking to minix_check_superblock()
  • smb: client: add proper locking around ses->iface_last_update
  • gfs2: fiemap page fault fix
  • tools/power cpupower: Reset errno before strtoull()
  • [arm64] perf/arm-cmn: Support CMN-600AE
  • [arm64] Add support for TSV110 Spectre-BHB mitigation
  • rnbd-srv: Zero the rsp buffer before using it
  • [x86] xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE is set
  • EFI/CPER: don't dump the entire memory region
  • APEI/GHES: ensure that won't go past CPER allocated record
  • EFI/CPER: don't go past the ARM processor CPER record buffer
  • ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
  • ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP
  • [s390x] perf: Disable register readout on sampling events
  • xenbus: Use .freeze/.thaw to handle xenbus devices
  • blk-mq-debugfs: add missing debugfs_mutex in blk_mq_debugfs_register_hctxs()
  • bpf: verifier improvement in 32bit shift sign extension pattern
  • clocksource/drivers/sh_tmu: Always leave device running after probe
  • clocksource/drivers/timer-integrator-ap: Add missing Kconfig dependency on OF
  • PCI/MSI: Unmap MSI-X region on error
  • char: tpm: cr50: Remove IRQF_ONESHOT
  • pstore: ram_core: fix incorrect success return when vmap() fails
  • [arm64] tegra: smaug: Add usb-role-switch support
  • drm/display/dp_mst: Add protection against 0 vcpi
  • spi-geni-qcom: initialize mode related registers to 0
  • media: dvb-core: dmxdevfilter must always flush bufs
  • [armhf] spi: stm32: fix Overrun issue at < 8bpw
  • [arm64] drm/v3d: Set DMA segment size to avoid debug warnings
  • [armhf] media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes
  • [armhf] media: omap3isp: isppreview: always clamp in preview_try_format()
  • [armhf] media: omap3isp: set initial format
  • HID: apple: Add "SONiX KN85 Keyboard" to the list of non-apple keyboards
  • media: amphion: Clear last_buffer_dequeued flag for DEC_CMD_START
  • media: adv7180: fix frame interval in progressive mode
  • media: pvrusb2: fix URB leak in pvr2_send_request_ex
  • media: solo6x10: Check for out of bounds chip_id
  • media: cx25821: Fix a resource leak in cx25821_dev_setup()
  • drm/amdkfd: Fix GART PTE for non-4K pagesize in svm_migrate_gart_map()
  • drm: Account property blob allocations to memcg
  • hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed
  • virt: vbox: uapi: Mark inner unions in packed structs as packed
  • media: rkisp1: Fix filter mode register configuration
  • HID: multitouch: add eGalaxTouch EXC3188 support
  • HID: elecom: Add support for ELECOM HUGE Plus M-HT1MRBK
  • gpio: aspeed-sgpio: Change the macro to support deferred probe
  • spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end
  • [x86] ASoC: codecs: max98390: Check return value of devm_gpiod_get_optional() in max98390_i2c_probe()
  • hwmon: (f71882fg) Add F81968 support
  • [armhf] ASoC: es8328: Add error unwind in resume
  • modpost: Amend ppc64 save/restfpr symnames for -Os build
  • ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio
  • jfs: Add missing set_freezable() for freezable kthread
  • jfs: nlink overflow in jfs_rename
  • wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero
  • wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()
  • dm: remove fake timeout to avoid leak request
  • [arm64] iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency
  • wifi: libertas: fix WARNING in usb_tx_block
  • PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port
  • ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}()
  • ipv6: exthdrs: annotate data-race over multiple sysctl
  • ext4: mark group add fast-commit ineligible
  • ext4: mark group extend fast-commit ineligible
  • netfilter: nf_conntrack: Add allow_clash to generic protocol handler
  • netfilter: xt_tcpmss: check remaining length before reading optlen
  • net: usb: r8152: fix transmit queue timeout
  • net/rds: No shortcut out of RDS_CONN_ERROR
  • gro: change the BUG_ON() in gro_pull_from_frag0()
  • [arm64] net: hns3: extend HCLGE_FD_AD_QID to 11 bits
  • wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power()
  • wifi: iwlegacy: add missing mutex protection in il3945_store_measurement()
  • ipv4: fib: Annotate access to struct fib_alias.fa_state.
  • Bluetooth: hci_conn: use mod_delayed_work for active mode timeout
  • Bluetooth: btusb: Add new VID/PID for RTL8852CE
  • Bluetooth: btusb: Add device ID for Realtek RTL8761BU
  • octeontx2-af: Workaround SQM/PSE stalls by disabling sticky
  • wifi: rtw89: pci: restore LDO setting after device resume
  • wifi: ath10k: fix lock protection in ath10k_wmi_event_peer_sta_ps_state_chg()
  • net: usb: sr9700: remove code to drive nonexistent multicast filter
  • vmw_vsock: bypass false-positive Wnonnull warning with gcc-16
  • net/rds: Clear reconnect pending bit
  • PCI: Mark ASM1164 SATA controller to avoid bus reset
  • PCI/AER: Clear stale errors on reporting agents upon probe
  • PCI: Fix pci_slot_lock () device locking
  • PCI: Enable ACS after configuring IOMMU for OF platforms
  • PCI: Add ACS quirk for Qualcomm Hamoa & Glymur
  • PCI: Mark Nvidia GB10 to avoid bus reset
  • myri10ge: avoid uninitialized variable use
  • nfc: nxp-nci: remove interrupt trigger type
  • RDMA/rtrs-clt: For conn rejection use actual err number
  • hisi_acc_vfio_pci: update status after RAS error
  • scsi: buslogic: Reduce stack usage
  • tracing: Fix false sharing in hwlat get_sample()
  • remoteproc: imx_dsp_rproc: Skip RP_MBOX_SUSPEND_SYSTEM when mailbox TX channel is uninitialized
  • mailbox: pcc: Remove spurious IRQF_ONESHOT usage
  • mailbox: imx: Skip the suspend flag for i.MX7ULP
  • mailbox: sprd: mask interrupts that are not handled
  • remoteproc: mediatek: Break lock dependency to prepare_lock
  • mailbox: sprd: clear delivery flag before handling TX done
  • clk: microchip: core: correct return value on *_get_parent()
  • soundwire: dmi-quirks: add mapping for Avell B.ON (OEM rebranded of NUC15)
  • staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure
  • serial: 8250_dw: handle clock enable errors in runtime_resume
  • usb: typec: ucsi: psy: Fix voltage and current max for non-Fixed PDOs
  • fpga: of-fpga-region: Fail if any bridge is missing
  • dmaengine: sun6i: Choose appropriate burst length under maxburst
  • dmaengine: stm32-mdma: initialize m2m_hw_period and ccr to fix warnings
  • misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
  • misc: eeprom: Fix EWEN/EWDS/ERAL commands for 93xx56 and 93xx66
  • staging: rtl8723bs: fix memory leak on failure path
  • serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA termination is done
  • fix it87_wdt early reboot by reporting running timer
  • [arm*] binder: don't use %pK through printk
  • watchdog: imx7ulp_wdt: handle the nowayout option
  • phy: mvebu-cp110-utmi: fix dr_mode property read from dts
  • phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature
  • Revert "mfd: da9052-spi: Change read-mask to write-mask"
  • iio: Use IRQF_NO_THREAD
  • iio: magnetometer: Remove IRQF_ONESHOT
  • ceph: supply snapshot context in ceph_uninline_data()
  • libceph: define and enforce CEPH_MAX_KEY_LEN
  • include: uapi: netfilter_bridge.h: Cover for musl libc
  • drm/amd/display: Avoid updating surface with the same surface under MPO
  • drm/amdgpu: Adjust usleep_range in fence wait
  • ALSA: usb-audio: Update the number of packets properly at receiving
  • drm/amdgpu: Add HAINAN clock adjustment
  • drm/radeon: Add HAINAN clock adjustment
  • ALSA: usb-audio: Add sanity check for OOB writes at silencing
  • btrfs: replace BUG() with error handling in __btrfs_balance()
  • drm/amd/display: Remove conditional for shaper 3DLUT power-on
  • rtc: zynqmp: correct frequency value
  • ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access
  • ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut
  • xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
  • ipmi: ipmb: initialise event handler read bytes
  • net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
  • net: usb: lan78xx: scan all MDIO addresses on LAN7801
  • net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()
  • net: ethernet: xscale: Check for PTP support properly
  • wifi: cfg80211: wext: fix IGTK key ID off-by-one
  • Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ
  • Bluetooth: hci_qca: Cleanup on all setup failures
  • Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ
  • Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
  • Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ
  • tipc: fix duplicate publication key in tipc_service_insert_publ()
  • RDMA/core: Fix stale RoCE GIDs during netdev events at registration
  • net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
  • RDMA/efa: Fix typo in efa_alloc_mr()
  • net: usb: pegasus: enable basic endpoint checking
  • RDMA/umem: Fix double dma_buf_unpin in failure path
  • net: consume xmit errors of GSO frames
  • dpaa2-switch: validate num_ifs to prevent out-of-bounds write
  • netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
  • rpmsg: core: fix race in driver_override_show() and use core helper
  • fpga: dfl: use subsys_initcall to allow built-in drivers to be added
  • dm-verity: correctly handle dm_bufio_client_create() failure
  • media: mtk-mdp: Fix error handling in probe function
  • media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
  • [armhf] omap2: Fix reference count leaks in omap_control_init()
  • [x86] KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding
  • [arm64] Disable branch profiling for all arm64 code
  • HID: hid-pl: handle probe errors
  • HID: magicmouse: Do not crash on missing msc->input
  • HID: prodikeys: Check presence of pm->input_ep82
  • HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()
  • media: radio-keene: fix memory leak in error path
  • media: cx88: Add missing unmap in snd_cx88_hw_params()
  • media: cx23885: Add missing unmap in snd_cx23885_hw_params()
  • media: cx25821: Add missing unmap in snd_cx25821_hw_params()
  • media: i2c/tw9903: Fix potential memory leak in tw9903_probe()
  • media: i2c/tw9906: Fix potential memory leak in tw9906_probe()
  • media: ccs: Avoid possible division by zero
  • media: i2c: ov5647: Initialize subdev before controls
  • media: i2c: ov5647: Correct pixel array offset
  • media: i2c: ov5647: Correct minimum VBLANK value
  • media: i2c: ov5647: Sensor should report RAW color space
  • media: i2c: ov5647: Fix PIXEL_RATE value for VGA mode
  • media: i2c: ov5647: use our own mutex for the ctrl lock
  • dm-integrity: fix a typo in the code for write/discard race
  • dm: clear cloned request bio pointer when last clone bio completes
  • [arm64] soc: ti: k3-socinfo: Fix regmap leak on probe failure
  • [x86] KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation
  • [armhf] clk: tegra: tegra124-emc: Fix potential memory leak in tegra124_clk_register_emc()
  • [s390x] pci: Handle futile config accesses of disabled devices directly
  • dm-integrity: fix recalculation in bitmap mode
  • dm-unstripe: fix mapping bug when there are multiple targets in a table
  • [arm64] dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro
  • drm: of: drm_of_panel_bridge_remove(): fix device_node leak
  • mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations
  • xfs: mark data structures corrupt on EIO and ENODATA
  • [amd64] iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode
  • mfd: core: Add locking around 'mfd_of_node_list'
  • xfs: delete attr leaf freemap entries when empty
  • xfs: fix freemap adjustments when adding xattrs to leaf blocks
  • xfs: fix remote xattr valuelblk check
  • [x86] KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()
  • PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions
  • md/bitmap: fix GPF in write_page caused by resize race
  • nfsd: fix return error code for nfsd_map_name_to_[ug]id
  • [x86] kexec: add a sanity check on previous kernel's ima kexec buffer
  • usb: gadget: tegra-xudc: Add handling for BLCG_COREPLL_PWRDN
  • bus: fsl-mc: fix an error handling in fsl_mc_device_add()
  • dm mpath: make pg_init_delay_msecs settable
  • [powerpc*] smp: Add check for kcalloc() failure in parse_thread_groups()
  • iio: gyro: itg3200: Fix unchecked return value in read_raw
  • mm/highmem: fix __kmap_to_page() build error
  • rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()
  • ocfs2: fix reflink preserve cleanup issue
  • kexec: derive purgatory entry from symbol
  • Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"
  • PCI/IOV: Fix race between SR-IOV enable/disable and hotplug
  • btrfs: continue trimming remaining devices on failure
  • remoteproc: imx_rproc: Fix invalid loaded resource table detection
  • [arm64] perf/arm-cmn: Reject unsupported hardware configurations
  • scsi: ufs: core: Flush exception handling work when RPM level is zero
  • usb: dwc2: fix resume failure if dr_mode is host
  • mtd: rawnand: pl353: Fix software ECC support
  • tipc: fix RCU dereference race in tipc_aead_users_dec()
  • drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
  • net: cpsw_new: Fix unnecessary netdev unregistration in cpsw_probe() error path
  • PCI: Fix pci_slot_trylock() error handling
  • staging: rtl8723bs: fix null dereference in find_network
  • ceph: supply snapshot context in ceph_zero_partial_object()
  • net: ethernet: marvell: skge: remove incorrect conflicting PCI ID
  • net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()
  • octeontx2-af: CGX: fix bitmap leaks
  • net: macb: Fix tx/rx malfunction after phy link down and up
  • tracing: Fix to set write permission to per-cpu buffer_size_kb
  • io_uring/filetable: clamp alloc_hint to the configured alloc range
  • net: intel: fix PCI device ID conflict between i40e and ipw2200
  • atm: fore200e: fix use-after-free in tasklets during device removal
  • ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
  • fbcon: check return value of con2fb_acquire_newinfo()
  • fbdev: vt8500lcdfb: fix missing dma_free_coherent()
  • fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
  • fbdev: ffb: fix corrupted video output on Sun FFB1
  • fbcon: Remove struct fbcon_display.inverse
  • [x86] ASoC: amd: yc: Add DMI quirk for ASUS Vivobook Pro 15X M6501RR
  • net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
  • net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
  • [x86] kexec: Copy ACPI root pointer address from config table
  • [arm64] Force the use of CNTVCT_EL0 in __delay()
  • net: nfc: nci: Fix parameter validation for packet data
  • NTB: ntb_transport: Fix too small buffer for debugfs_name
  • [arm64] Fix sampling the "stable" virtual counter in preemptible section https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.166
  • [x86] Revert "x86/kexec: add a sanity check on previous kernel's ima kexec buffer" https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.167
  • drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
  • drm/vmwgfx: Return the correct value in vmw_translate_ptr functions (CVE-2026-23317)
  • drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
  • irqchip/sifive-plic: Fix frozen interrupt due to affinity setting (CVE-2026-23287)
  • scsi: lpfc: Properly set WC for DPP mapping
  • scsi: pm8001: Fix use-after-free in pm8001_queue_command() (CVE-2026-23306)
  • ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
  • scsi: ufs: core: Always initialize the UIC done completion
  • scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
  • ALSA: usb-audio: Cap the packet size pre-calculations
  • ALSA: usb-audio: Use inclusive terms
  • perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
  • btrfs: move btrfs_crc32c_final into free-space-cache.c
  • btrfs: fix incorrect key offset in error message in check_dev_extent_item()
  • btrfs: fix compat mask in error messages in btrfs_check_features()
  • bpf: Fix stack-out-of-bounds write in devmap (CVE-2026-23359)
  • PCI: Introduce pci_dev_for_each_resource()
  • PCI: Fix printk field formatting
  • PCI: Update BAR # and window messages
  • PCI: Use resource names in PCI log messages
  • resource: Add resource set range and size helpers
  • PCI: Use resource_set_range() that correctly sets ->end
  • [x86] KVM: x86/pmu: Provide "error" semantics for unsupported-but-known PMU MSRs
  • [x86] KVM: x86: Fix KVM_GET_MSRS stack info leak
  • [x86] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED
  • [x86] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR
  • [x86] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject
  • [x86] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
  • [arm64,armhf] drm/tegra: dsi: fix device leak on probe
  • [armhf] bus: omap-ocp2scp: Convert to platform remove callback returning void
  • [armhf] bus: omap-ocp2scp: fix OF populate on driver rebind
  • ext4: make ext4_es_remove_extent() return void
  • ext4: get rid of ppath in ext4_find_extent()
  • ext4: get rid of ppath in ext4_ext_create_new_leaf()
  • ext4: get rid of ppath in ext4_ext_insert_extent()
  • ext4: get rid of ppath in ext4_split_extent_at()
  • ext4: subdivide EXT4_EXT_DATA_VALID1
  • ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
  • ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
  • ext4: drop extent cache when splitting extent fails
  • [armhf] mfd: omap-usb-host: Convert to platform remove callback returning void
  • [armhf] mfd: omap-usb-host: Fix OF populate on driver rebind
  • [arm64] dts: rockchip: Fix rk356x PCIe range mappings
  • [armhf] clk: tegra: tegra124-emc: fix device leak on set_rate()
  • usb: cdns3: remove redundant if branch
  • usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
  • usb: cdns3: fix role switching during resume
  • ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
  • hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race
  • ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
  • net: arcnet: com20020-pci: fix support for 2.5Mbit cards
  • drm/amd: Drop special case for yellow carp without discovery
  • drm/amdgpu: keep vga memory on MacBooks with switchable graphics
  • eventpoll: Fix integer overflow in ep_loop_check_proc()
  • media: dvb-core: fix wrong reinitialization of ringbuffer on reopen (CVE-2026-23253)
  • nfc: pn533: properly drop the usb interface reference on disconnect (CVE-2026-23291)
  • net: usb: kaweth: validate USB endpoints (CVE-2026-23312)
  • net: usb: kalmia: validate USB endpoints (CVE-2026-23365)
  • net: usb: pegasus: validate USB endpoints (CVE-2026-23290)
  • can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
  • can: ucan: Fix infinite loop from zero-length messages (CVE-2026-23298)
  • can: usb: etas_es58x: correctly anchor the urb in the read bulk callback (CVE-2026-23324)
  • HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them (CVE-2026-23382)
  • [x86] efi: defer freeing of boot services memory (CVE-2026-23352)
  • [x86] platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data (CVE-2026-23370)
  • [x86] platform/x86: dell-wmi: Add audio/mic mute key codes
  • ALSA: usb-audio: Use correct version for UAC3 header validation (CVE-2026-23318)
  • wifi: radiotap: reject radiotap with unknown bits (CVE-2026-23367)
  • wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() (CVE-2026-23279)
  • IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
  • RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() (CVE-2026-23335)
  • net/sched: ets: fix divide by zero in the offload path (CVE-2026-23379)
  • scsi: target: Fix recursive locking in __configfs_open_file() (CVE-2026-23292)
  • Squashfs: check metadata block offset is within range (CVE-2026-23388)
  • drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() (CVE-2026-23356)
  • smb: client: fix broken multichannel with krb5+signing
  • smb: client: Don't log plaintext credentials in cifs_set_cifscreds (CVE-2026-23303)
  • scsi: core: Fix refcount leak for tagset_refcnt (CVE-2026-23296)
  • [x86] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
  • net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table
  • net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy()
  • net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call
  • net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac()
  • net: dpaa2-switch: serialize changes to priv->mac with a mutex
  • dpaa2-switch: do not clear any interrupts automatically
  • dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
  • atm: lec: fix null-ptr-deref in lec_arp_clear_vccs (CVE-2026-23286)
  • can: bcm: fix locking for bcm_op runtime updates (CVE-2026-23362)
  • can: mcp251x: fix deadlock in error path of mcp251x_open (CVE-2026-23357)
  • wifi: cw1200: Fix locking in error paths
  • wifi: wlcore: Fix a locking bug
  • wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() (CVE-2026-23315)
  • indirect_call_wrapper: do not reevaluate function pointer
  • xen/acpi-processor: fix _CST detection using undersized evaluation buffer
  • bpf: export bpf_link_inc_not_zero.
  • bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim (CVE-2026-23319)
  • ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() (CVE-2026-23304)
  • [amd64,arm64] amd-xgbe: fix sleep while atomic on suspend/resume
  • net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
  • net: nfc: nci: Fix zero-length proprietary notifications
  • nfc: nci: free skb on nci_transceive early error paths (CVE-2026-23339)
  • nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
  • nfc: rawsock: cancel tx_work before socket teardown (CVE-2026-23372)
  • net: stmmac: Fix error handling in VLAN add and delete paths
  • net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() (CVE-2026-23284)
  • net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled (CVE-2026-23381)
  • net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled (CVE-2026-23293)
  • net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop (CVE-2026-23300)
  • net/sched: act_ife: Fix metalist update behavior (CVE-2026-23378)
  • xdp: use modulo operation to calculate XDP frag tailroom
  • xdp: produce a warning when calculated tailroom is negative (CVE-2026-23343)
  • tracing: Add NULL pointer check to trigger_data_free() (CVE-2026-23309)
  • net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (CVE-2026-23270)
  • net: tcp: accept old ack during closing
  • scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
  • ACPI: PM: Save NVS memory on Lenovo G70-35
  • scsi: mpi3mr: Add NULL checks when resetting request and reply queues
  • unshare: fix unshare_fs() handling
  • wifi: mac80211: set default WMM parameters on all links
  • ACPI: OSI: Add DMI quirk for Acer Aspire One D255
  • scsi: ses: Fix devices attaching to different hosts
  • [x86] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
  • ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
  • ALSA: usb-audio: Check max frame size for implicit feedback mode, too
  • [powerpc*] uaccess: Fix inline assembly for clang build on PPC32
  • remoteproc: sysmon: Correct subsys_name_len type in QMI request
  • remoteproc: mediatek: Unprepare SCP clock during system suspend
  • [powerpc*] 83xx: km83xx: Fix keymile vendor prefix
  • xprtrdma: Decrement re_receiving on the early exit paths
  • bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
  • net/mlx5: IFC updates for disabled host PF
  • net/mlx5: Query to see if host PF is disabled
  • net/mlx5: Fix deadlock between devlink lock and esw->wq
  • net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
  • net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit (CVE-2026-23277)
  • ASoC: soc-core: drop delayed_work_pending() check before flush
  • ASoC: core: Exit all links before removing their components
  • ASoC: core: Do not call link_exit() on uninitialized rtd objects
  • ASoC: soc-core: flush delayed work before removing DAIs and widgets
  • serial: caif: hold tty->link reference in ldisc_open and ser_release
  • mctp: i2c: fix skb memory leak in receive path
  • can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
  • mctp: route: hold key->lock in mctp_flow_prepare_output()
  • netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
  • netfilter: x_tables: guard option walkers against 1-byte tail reads
  • netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
  • netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
  • netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels (CVE-2026-23274)
  • regulator: pca9450: Make IRQ optional
  • regulator: pca9450: Correct interrupt type
  • sched: idle: Make skipping governor callbacks more consistent
  • nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
  • nvme-pci: Fix race bug in nvme_poll_irqdisable()
  • i40e: fix src IP mask checks and memcpy argument names in cloud filter
  • e1000/e1000e: Fix leak in DMA error cleanup
  • ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
  • ASoC: detect empty DMI strings
  • net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
  • usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
  • [arm64] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
  • cgroup: fix race between task migration and iteration
  • ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
  • net: usb: lan78xx: fix silent drop of packets with checksum errors
  • net: usb: lan78xx: fix TX byte statistics for small packets
  • net: usb: lan78xx: skip LTM configuration for LAN7850
  • [x86] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
  • [x86] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
  • USB: add QUIRK_NO_BOS for video capture several devices
  • usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
  • USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
  • usb: xhci: Fix memory leak in xhci_disable_slot()
  • usb: yurex: fix race in probe
  • usb: misc: uss720: properly clean up reference in uss720_probe()
  • usb: core: don't power off roothub PHYs if phy_set_mode() fails
  • usb: cdc-acm: Restore CAP_BRK functionnality to CH343
  • USB: usbcore: Introduce usb_bulk_msg_killable()
  • USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
  • USB: core: Limit the length of unkillable synchronous timeouts
  • usb: class: cdc-wdm: fix reordering issue in read code path
  • usb: renesas_usbhs: fix use-after-free in ISR during device removal
  • usb: mdc800: handle signal and read racing
  • usb: image: mdc800: kill download URB on timeout
  • mm/tracing: rss_stat: ensure curr is false from kthread context
  • mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
  • mmc: core: Avoid bitfield RMW for claim/retune flags
  • tipc: fix divide-by-zero in tipc_sk_filter_connect()
  • libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
  • libceph: reject preamble if control segment is empty
  • libceph: prevent potential out-of-bounds reads in process_message_header()
  • libceph: Use u32 for non-negative values in ceph_monmap_decode()
  • libceph: admit message frames only in CEPH_CON_S_OPEN state
  • ceph: fix i_nlink underrun during async unlink
  • time: add kernel-doc in time.c
  • time/jiffies: Mark jiffies_64_to_clock_t() notrace
  • [arm64] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
  • device property: Allow secondary lookup in fwnode_get_next_child_node()
  • irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
  • ixgbevf: fix link setup issue
  • staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
  • staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
  • media: dvb-net: fix OOB access in ULE extension header tables
  • [amd64,arm64] net: mana: Ring doorbell at 4 CQ wraparounds
  • ice: fix retry for AQ command 0x06EE
  • batman-adv: Avoid double-rtnl_lock ELP metric worker
  • nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
  • hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
  • smb: server: fix use-after-free in smb2_open()
  • net: ncsi: fix skb leak in error paths
  • net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
  • drm/amdgpu: Fix use-after-free race in VM acquire
  • drm/amd: Set num IP blocks to 0 if discovery fails
  • drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
  • tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
  • xfs: fix undersized l_iclog_roundoff values
  • [s390x] dasd: Move quiesce state with pprc swap
  • [s390x] dasd: Copy detected format information to secondary device
  • lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
  • scsi: core: Fix error handling for scsi_alloc_sdev()
  • [x86] apic: Disable x2apic on resume if the kernel expects so
  • lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
  • lib/bootconfig: check bounds before writing in __xbc_open_brace()
  • smb: client: fix atomic open with O_DIRECT & O_SYNC
  • smb: client: fix iface port assignment in parse_server_interfaces
  • btrfs: fix transaction abort on file creation due to name hash collision
  • btrfs: abort transaction on failure to update root in the received subvol ioctl
  • iio: dac: ds4424: reject -128 RAW value
  • iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
  • iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
  • iio: potentiometer: mcp4131: fix double application of wiper shift
  • iio: chemical: bme680: Fix measurement wait duration calculation
  • iio: gyro: mpu3050-core: fix pm_runtime error handling
  • iio: gyro: mpu3050-i2c: fix pm_runtime error handling
  • iio: imu: inv_icm42600: fix odr switch to the same value
  • i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
  • i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
  • i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
  • drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
  • ipv6: use RCU in ip6_xmit() (CVE-2025-40135)
  • bpf: Forget ranges when refining tnum after JSET (CVE-2025-39748)
  • l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
  • io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop (CVE-2026-23113)
  • io_uring/kbuf: check if target buffer list is still legacy on recycle
  • sunrpc: fix cache_request leak in cache_release
  • nvdimm/bus: Fix potential use after free in asynchronous initialization
  • NFC: nxp-nci: allow GPIOs to sleep
  • net: macb: fix use-after-free access to PTP clock
  • Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
  • Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
  • smb: client: fix krb5 mount with username option
  • ksmbd: unset conn->binding on failed binding request
  • mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
  • mmc: sdhci: fix timing selection for 1-bit bus width
  • spi: fix use-after-free on controller registration failure
  • spi: fix statistics allocation
  • mtd: rawnand: pl353: make sure optimal timings are applied
  • mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init()
  • mtd: Avoid boot crash in RedBoot partition table parser
  • [amd64] iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
  • serial: 8250_pci: add support for the AX99100
  • serial: 8250: Fix TX deadlock when using DMA
  • serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
  • serial: uartlite: fix PM runtime usage count underflow on probe
  • drm/amdgpu/mmhub2.0: add bounds checking for cid
  • drm/amdgpu/mmhub2.3: add bounds checking for cid
  • drm/amdgpu/mmhub3.0.1: add bounds checking for cid
  • drm/amdgpu/mmhub3.0.2: add bounds checking for cid
  • drm/amdgpu/mmhub3.0: add bounds checking for cid
  • drm/radeon: apply state adjust rules to some additional HAINAN vairants
  • drm/amdgpu: apply state adjust rules to some additional HAINAN vairants
  • mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
  • mm/hugetlb: fix hugetlb_pmd_shared() (CVE-2026-23100)
  • mm/hugetlb: fix two comments related to huge_pmd_unshare()
  • mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather
  • ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
  • ext4: fix dirtyclusters double decrement on fs shutdown
  • ext4: always allocate blocks only from groups inode can use
  • wifi: libertas: fix use-after-free in lbs_free_adapter() (CVE-2026-23281)
  • wifi: cfg80211: move scan done work to wiphy work
  • wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() (CVE-2026-23336)
  • [x86] sev: Allow IBPB-on-Entry feature for SNP guests
  • net: phy: register phy led_triggers during probe to avoid AB-BA deadlock (CVE-2026-23368)
  • drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
  • mptcp: pm: avoid sending RM_ADDR over same subflow
  • mptcp: pm: in-kernel: always mark signal+subflow endp as used
  • net/sched: act_gate: snapshot parameters with RCU on replace (CVE-2026-23245)
  • ALSA: pcm: fix wait_time calculations
  • ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
  • can: gs_usb: gs_can_open(): always configure bitrates before starting device
  • [x86] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
  • usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
  • usb: roles: get usb role switch from parent only for usb-b-connector
  • mm/kfence: fix KASAN hardware tag faults during late enablement
  • mm/kfence: disable KFENCE upon KASAN HW tags enablement
  • iomap: reject delalloc mappings during writeback
  • tracing: Fix syscall events activation by ensuring refcount hits zero
  • pmdomain: bcm: bcm2835-power: Fix broken reset status read
  • [arm64] reorganise PAGE_/PROT_ macros
  • [arm64] mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
  • ksmbd: Don't log keys in SMB3 signing and encryption key generation
  • [arm64] drm/msm: Fix dma_free_attrs() buffer size
  • net: macb: Shuffle the tx ring before enabling tx
  • [s390x] zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
  • xfs: fix integer overflow in bmap intent sort comparator
  • xfs: ensure dquot item is deleted from AIL only after log shutdown
  • cifs: open files should not hold ref on superblock
  • kprobes: Remove unneeded goto
  • kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
  • iio: buffer: fix coding style warnings
  • iio: buffer: Fix wait_queue not being removed
  • btrfs: fix transaction abort when snapshotting received subvolumes
  • btrfs: fix transaction abort on set received ioctl due to item overflow
  • iio: light: bh1780: fix PM runtime leak on error path
  • batman-adv: avoid OGM aggregation when skb tailroom is insufficient
  • nfsd: define exports_proc_ops with CONFIG_PROC_FS
  • NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
  • nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
  • net: macb: queue tie-off or disable during WOL suspend
  • net: macb: Introduce gem_init_rx_ring()
  • net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume
  • pmdomain: bcm: bcm2835-power: Increase ASB control timeout
  • ice: remove unused buffer copy code in ice_sq_send_cmd_retry()
  • ice: sleep, don't busy-wait, in the SQ send retry loop
  • ice: reintroduce retry mechanism for indirect AQ
  • iio: imu: inv_icm42600: fix odr switch when turning buffer off
  • ALSA: usb-audio: Kill timer properly at removal (CVE-2025-38105)
  • drm/amdgpu: unmap and remove csa_va properly (CVE-2023-53545)
  • net: dsa: improve shutdown sequence (CVE-2024-49998)
  • net: fec: handle page_pool_dev_alloc_pages error (CVE-2025-21676)
  • gfs2: No more self recovery (CVE-2025-38659)
  • smb: client: Compare MACs in constant time
  • ksmbd: Compare MACs in constant time (CVE-2026-23364)
  • net/tcp-md5: Fix MAC comparison to be constant-time
  • mtd: spinand: macronix: use scratch buffer for DMA operation
  • net: enetc: reimplement RFS/RSS memory clearing as PCI quirk
  • net: enetc: allocate vf_state during PF probes (CVE-2024-50298)
  • dm-verity: disable recursive forward error correction (CVE-2025-71161)
  • net: add skb_header_pointer_careful() helper
  • net/sched: cls_u32: use skb_header_pointer_careful() (CVE-2026-23204)
  • scsi: ufs: core: Fix handling of lrbp->cmd (CVE-2023-53510)
  • net: Handle napi_schedule() calls from non-interrupt
  • gve: defer interrupt enabling until NAPI registration
  • drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
  • drm/exynos: vidi: fix to avoid directly dereferencing user pointer
  • drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free (CVE-2026-23227)
  • [x86] uprobes: Fix XOL allocation failure for 32-bit tasks
  • btrfs: send: check for inline extents in range_is_hole_in_parent() (CVE-2026-23141)
  • btrfs: do not strictly require dirty metadata threshold for metadata writepages (CVE-2026-23157)
  • eth: bnxt: always recalculate features after XDP clearing, fix null-deref (CVE-2025-21682)
  • spi: cadence-quadspi: Implement refcount to handle unbind during busy (CVE-2025-40005)
  • drm/amdgpu: drop redundant sched job cleanup when cs is aborted (CVE-2023-53228)
  • net: stmmac: remove support for lpi_intr_o
  • PCI/ACPI: Restrict program_hpx_type2() to AER bits
  • binfmt_misc: restore write access before closing files opened by open_exec() (CVE-2025-68239)
  • btrfs: tree-checker: fix misleading root drop_level error message
  • wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
  • wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
  • [arm64] firmware: arm_scpi: Fix device_node reference leak in probe path
  • Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
  • Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
  • Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
  • Bluetooth: hci_sync: Fix hci_le_create_conn_sync
  • Bluetooth: HIDP: Fix possible UAF
  • Bluetooth: qca: fix ROM version reading on WCN3998 chips
  • net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
  • netfilter: ctnetlink: remove refcounting in expectation dumpers (CVE-2025-39764)
  • netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
  • netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
  • netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
  • netfilter: nft_ct: add seqadj extension for natted connections (CVE-2025-68206)
  • netfilter: nft_ct: drop pending enqueued packets on removal
  • netfilter: xt_CT: drop pending enqueued packets on template removal (CVE-2026-23391)
  • netfilter: xt_time: use unsigned int for monthday bit shift
  • netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
  • net: bcmgenet: increase WoL poll timeout
  • [amd64,arm64] net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
  • sched: idle: Consolidate the handling of two special cases
  • PM: runtime: Fix a race condition related to device removal
  • net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
  • net/sched: teql: Fix double-free in teql_master_xmit
  • net: usb: aqc111: Do not perform PM inside suspend callback
  • igc: fix missing update of skb->tail in igc_xmit_frame()
  • iavf: fix VLAN filter lost on add/delete race
  • wifi: mac80211: fix NULL deref in mesh_matches_local() (CVE-2026-23396)
  • wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
  • ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
  • net: macb: fix uninitialized rx_fs_lock
  • udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
  • net: bonding: fix NULL deref in bond_debug_rlb_hash_show
  • netfilter: nf_tables: release flowtable after rcu grace period on error (CVE-2026-23392)
  • nfnetlink_osf: validate individual option lengths in fingerprints (CVE-2026-23397)
  • [arm64,armhf] net: mvpp2: guard flow control update with global_tx_fc in buffer switching
  • [armhf] net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
  • icmp: fix NULL pointer dereference in icmp_tag_validation() (CVE-2026-23398)
  • hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
  • Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ (CVE-2026-23395)
  • drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
  • Bluetooth: hci_core: Fix use-after-free in vhci_flush() (CVE-2025-38250)
  • mailbox: Prevent out-of-bounds access in of_mbox_index_xlate()
  • sched/fair: Fix pelt clock sync when entering idle
  • USB: serial: f81232: fix incomplete serial port generation
  • i2c: fsi: Fix a potential leak in fsi_i2c_probe()
  • mtd: rawnand: serialize lock/unlock against other NAND operations
  • mtd: rawnand: brcmnand: skip DMA during panic write
  • ksmbd: fix use-after-free of share_conf in compound request
  • [x86] drm/i915/gt: Check set_default_submission() before deferencing
  • lib/bootconfig: check xbc_init_node() return in override path
  • tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
  • netfilter: nf_tables: de-constify set commit ops function argument
  • netfilter: nft_set_pipapo: split gc into unlink and reclaim phase (CVE-2026-23351)
  • dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() (CVE-2025-71221)
  • [s390x] xor: Fix xor_xc_2() inline assembly constraints
  • net: clear the dst when changing skb protocol (CVE-2025-38192)
  • drm/amdgpu: use proper DC check in amdgpu_display_supported_domains()
  • drm/amdgpu: clarify DC checks
  • drm/amd/display: Add pixel_clock to amd_pp_display_configuration
  • drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)
  • net: add support for segmenting TCP fraglist GSO packets
  • net: gso: fix tcp fraglist segmentation after pull from frag_list
  • net: fix segmentation of forwarding fraglist GRO (CVE-2026-23154)
  • rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access (CVE-2025-38704)
  • ntfs: set dummy blocksize to read boot_block when mounting (CVE-2025-71067)
  • nvme: fix admin request_queue lifetime
  • f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode
  • net: stmmac: fix TSO DMA API usage causing oops (CVE-2024-56719)
  • mptcp: pm: in-kernel: always set ID as avail when rm endp
  • dlm: fix possible lkb_resource null dereference (CVE-2024-47809)
  • netfilter: nf_tables: missing objects with no memcg accounting
  • netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (CVE-2025-38162)
  • wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work (CVE-2025-39863)
  • i2c: cp2615: replace deprecated strncpy with strscpy
  • i2c: cp2615: fix serial string NULL-deref at probe
  • Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()"
  • nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() (CVE-2025-40261)
  • Revert "selftests: net: amt: wait longer for connection before sending packets"
  • xen/privcmd: restrict usage in unprivileged domU (CVE-2026-31788)
  • xen/privcmd: add boot control for restricted usage in domU https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.168
  • bpf: Release module BTF IDR before module unload
  • HID: asus: avoid memory leak in asus_report_fixup()
  • [x86] platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
  • nvme-pci: cap queue creation to used queues
  • nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
  • [x86] platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1
  • [x86] platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10
  • nvme-pci: ensure we're polling a polled queue
  • HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
  • HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
  • net: usb: r8152: add TRENDnet TUC-ET2G
  • HID: mcp2221: cancel last I2C command on read error
  • module: Fix kernel panic when a symbol st_shndx is out of bounds
  • dma-buf: Include ioctl.h in UAPI header
  • HID: apple: avoid memory leak in apple_report_fixup()
  • btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
  • ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk
  • ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
  • usb: core: new quirk to handle devices with zero configurations
  • xfrm: call xdo_dev_state_delete during state update
  • xfrm: Fix the usage of skb->sk
  • esp: fix skb leak with espintcp and async crypto
  • af_key: validate families in pfkey_send_migrate()
  • dma: swiotlb: add KMSAN annotations to swiotlb_bounce()
  • can: statistics: add missing atomic access in hot path
  • Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
  • Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
  • Bluetooth: hci_ll: Fix firmware leak on error path
  • Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
  • ionic: fix persistent MAC address override on PF
  • nfc: nci: fix circular locking dependency in nci_close_device
  • net: openvswitch: Avoid releasing netdev before teardown completes
  • rtnetlink: pass netlink message header and portid to rtnl_configure_link()
  • net: add new helper unregister_netdevice_many_notify
  • rtnetlink: Honour NLM_F_ECHO flag in rtnl_delete_link
  • openvswitch: defer tunnel netdev_put to RCU release
  • openvswitch: validate MPLS set/set_masked payload length
  • net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
  • rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
  • [armhf] platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
  • ice: use ice_update_eth_stats() for representor stats
  • net: fix fanout UAF in packet_release() via NETDEV_UP race
  • tcp: Use bhash2 for v4-mapped-v6 non-wildcard address.
  • tcp: Rearrange tests in inet_csk_bind_conflict().
  • tcp: optimize inet_use_bhash2_on_bind()
  • udp: Fix wildcard bind conflict check when using hash2
  • [arm64] net: enetc: fix the output issue of 'ethtool --show-ring'
  • dma-mapping: add missing inline for dma_free_attrs
  • Bluetooth: L2CAP: Fix send LE flow credits in ACL link
  • Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
  • Bluetooth: btusb: clamp SCO altsetting table indices
  • tls: Purge async_hold in tls_decrypt_async_wait() (CVE-2026-23414)
  • netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
  • netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
  • netfilter: nf_conntrack_expect: skip expectations in other netns via proc
  • netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
  • netlink: allow be16 and be32 types in all uint policy checks
  • netfilter: ctnetlink: use netlink policy range checks
  • net: macb: use the current queue number for stats
  • regmap: Synchronize cache for the page selector
  • RDMA/rw: Fall back to direct SGE on MR pool exhaustion
  • RDMA/irdma: Initialize free_qp completion before using it
  • RDMA/irdma: Update ibqp state to error if QP is already in error state
  • RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
  • RDMA/irdma: Clean up unnecessary dereference of event->cm_node
  • RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
  • RDMA/irdma: Fix deadlock during netdev reset with active connections
  • RDMA/irdma: Return EINVAL for invalid arp index error
  • scsi: scsi_transport_sas: Fix the maximum channel scanning issue
  • [x86] efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
  • [x86] drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
  • [x86] ASoC: Intel: catpt: Fix the device initialization
  • ACPICA: include/acpi/acpixf.h: Fix indentation
  • ACPICA: Allow address_space_handler Install and _REG execution as 2 separate steps
  • ACPI: EC: Fix EC address space handler unregistration
  • ACPI: EC: Fix ECDT probe ordering issues
  • ACPI: EC: Install address space handler at the namespace root
  • ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
  • drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
  • hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
  • sysctl: fix uninitialized variable in proc_do_large_bitmap
  • spi: spi-fsl-lpspi: fix teardown order issue (UAF)
  • [s390x] syscalls: Add spectre boundary for syscall dispatch table
  • [s390x] barrier: Make array_index_mask_nospec() __always_inline
  • ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
  • ksmbd: do not expire session on binding failure
  • can: gw: fix OOB heap access in cgw_csum_crc8_rel()
  • cpufreq: conservative: Reset requested_freq on limits change
  • [arm64] KVM: arm64: Discard PC update state on vcpu reset
  • hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature
  • hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
  • media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
  • virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
  • erofs: add GFP_NOIO in the bio completion if needed
  • alarmtimer: Fix argument order in alarm_timer_forward()
  • scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
  • scsi: ses: Handle positive SCSI error from ses_recv_diag()
  • net: macb: Use dev_consume_skb_any() to free TX SKBs
  • jbd2: gracefully abort on checkpointing state corruptions
  • xfs: stop reclaim before pushing AIL during unmount
  • xfs: fix ri_total validation in xlog_recover_attri_commit_pass2
  • ext4: fix journal credit check when setting fscrypt context
  • ext4: convert inline data to extents when truncate exceeds inline size
  • ext4: make recently_deleted() properly work with lazy itable initialization
  • ext4: avoid infinite loops caused by residual data
  • ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
  • ext4: reject mount if bigalloc with s_first_data_block != 0
  • ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
  • ext4: always drain queued discard work in ext4_mb_release()
  • [arm64] dts: imx8mn-tqma8mqnl: fix LDO5 power off
  • [powerpc*] powerpc64/bpf: do not increment tailcall count when prog is NULL
  • [amd64] dmaengine: idxd: Fix not releasing workqueue on .release()
  • [amd64] dmaengine: idxd: Fix memory leak when a wq is reset
  • btrfs: fix super block offset in error message in btrfs_validate_super()
  • btrfs: fix leak of kobject name for sub-group space_info
  • btrfs: fix lost error when running device stats on multiple devices fs
  • [amd64] dmaengine: idxd: Remove usage of the deprecated ida_simple_xx() API
  • [amd64] dmaengine: idxd: Fix freeing the allocated ida too late
  • futex: Clear stale exiting pointer in futex_lock_pi() retry path
  • tcp: Fix bind() regression for v6-only wildcard and v4-mapped-v6 non-wildcard addresses.
  • HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
  • atm: lec: fix use-after-free in sock_def_readable()
  • btrfs: don't take device_list_mutex when querying zone info
  • tg3: replace placeholder MAC address with device property
  • HID: multitouch: Check to ensure report responses match the request
  • [amd64,armhf] i2c: tegra: Don't mark devices with pins as IRQ safe
  • btrfs: reject root items with drop_progress and zero drop_level
  • dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common property warning
  • crypto: af-alg - fix NULL pointer dereference in scatterwalk
  • net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
  • net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
  • net/ipv6: ioam6: prevent schema length wraparound in trace fill
  • tg3: Fix race for querying speed/duplex
  • ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
  • ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
  • bridge: br_nd_send: linearize skb before parsing ND options
  • net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
  • ipv6: prevent possible UaF in addrconf_permanent_addr()
  • net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
  • NFC: pn533: bound the UART receive buffer
  • bpf: Fix regsafe() for pointers to packet
  • net: ipv6: flowlabel: defer exclusive option free until RCU teardown
  • netfilter: flowtable: strictly check for maximum number of actions
  • netfilter: nfnetlink_log: account for netlink header size
  • netfilter: x_tables: ensure names are nul-terminated
  • netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
  • netfilter: nf_conntrack_helper: pass helper to expect cleanup
  • netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
  • netfilter: Reorder fields in 'struct nf_conntrack_expect'
  • netfilter: nf_conntrack_expect: honor expectation helper field
  • netfilter: nf_conntrack_expect: use expect->helper
  • netfilter: nf_conntrack_expect: store netns and zone in expectation
  • netfilter: ctnetlink: ignore explicit helper on new expectations
  • netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
  • netfilter: nf_tables: reject immediate NF_QUEUE verdict
  • Bluetooth: SCO: fix race conditions in sco_sock_connect()
  • Bluetooth: MGMT: validate LTK enc_size on load
  • Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
  • Bluetooth: MGMT: validate mesh send advertising payload length
  • rds: ib: reject FRMR registration before IB connection is established
  • net: macb: fix clk handling on PCI glue driver removal
  • net: macb: properly unregister fixed rate clocks
  • net/mlx5: lag: Check for LAG device before creating debugfs
  • net/mlx5: Avoid "No data available" when FW version queries fail
  • net/x25: Fix potential double free of skb
  • net/x25: Fix overflow when accumulating packets
  • net/sched: cls_fw: fix NULL pointer dereference on shared blocks
  • net/sched: cls_flow: fix NULL pointer dereference on shared blocks
  • net: hsr: fix VLAN add unwind on slave errors
  • ipv6: avoid overflows in ip6_datagram_send_ctl()
  • bpf: reject direct access to nullable PTR_TO_BUF pointers
  • iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one
  • hwmon: (pxe1610) Check return value of page-select write in probe
  • dt-bindings: gpio: fix microchip #interrupt-cells
  • hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify()
  • [armhf] hwmon: (occ) Fix missing newline in occ_show_extended()
  • drm/ioc32: stop speculation on the drm_compat_ioctl path
  • wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
  • wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
  • USB: serial: option: add MeiG Smart SRM825WN
  • ALSA: caiaq: fix stack out-of-bounds read in init_card
  • ALSA: ctxfi: Fix missing SPDIFI1 index handling
  • Bluetooth: SMP: derive legacy responder STK authentication from MITM state
  • Bluetooth: SMP: force responder MITM requirements before building the pairing response
  • [armhf] hwmon: (occ) Fix division by zero in occ_show_power_1()
  • iio: adc: ti-adc161s626: fix buffer read on big-endian
  • drm/ast: dp501: Fix initialization of SCU2C
  • USB: serial: io_edgeport: add support for Blackbox IC135A
  • USB: serial: option: add support for Rolling Wireless RW135R-GL
  • USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
  • iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
  • Input: synaptics-rmi4 - fix a locking bug in an error path
  • Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table
  • Input: xpad - add support for Razer Wolverine V3 Pro
  • iio: accel: fix ADXL355 temperature signature value
  • iio: dac: ad5770r: fix error return in ad5770r_read_raw()
  • iio: light: vcnl4035: fix scan buffer on big-endian
  • iio: imu: bmi160: Remove potential undefined behavior in bmi160_config_pin()
  • iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
  • iio: gyro: mpu3050: Fix incorrect free_irq() variable
  • iio: gyro: mpu3050: Fix irq resource leak
  • iio: gyro: mpu3050: Move iio_device_register() to correct location
  • iio: gyro: mpu3050: Fix out-of-sequence free_irq()
  • usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
  • usb: ulpi: fix double free in ulpi_register_interface() error path
  • usb: usbtmc: Flush anchored URBs in usbtmc_release
  • usb: ehci-brcm: fix sleep during atomic
  • usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
  • usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
  • usb: cdns3: gadget: fix state inconsistency on gadget init failure
  • Revert "ext4: avoid infinite loops caused by residual data"
  • Revert "ext4: drop extent cache when splitting extent fails"
  • Revert "ext4: drop extent cache after doing PARTIAL_VALID1 zeroout"
  • Revert "ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1"
  • Revert "ext4: subdivide EXT4_EXT_DATA_VALID1"
  • Revert "ext4: get rid of ppath in ext4_split_extent_at()"
  • Revert "ext4: get rid of ppath in ext4_ext_insert_extent()"
  • Revert "ext4: get rid of ppath in ext4_ext_create_new_leaf()"
  • Revert "ext4: get rid of ppath in ext4_find_extent()"
  • Revert "ext4: make ext4_es_remove_extent() return void"
  • bridge: br_nd_send: validate ND option lengths
  • cdc-acm: new quirk for EPSON HMD
  • [i386] comedi: dt2815: add hardware detection to prevent crash
  • [x86] comedi: Reinit dev->spinlock between attachments to low-level drivers
  • [i386] comedi: ni_atmio16d: Fix invalid clean-up after failed attach
  • [x86] comedi: me_daq: Fix potential overrun of firmware buffer
  • [x86] comedi: me4000: Fix potential overrun of firmware buffer
  • netfilter: ipset: drop logically empty buckets in mtype_del
  • vxlan: validate ND option lengths in vxlan_na_create
  • net: ftgmac100: fix ring allocation unwind on open failure
  • [x86] thunderbolt: Fix property read in nhi_wake_supported()
  • USB: dummy-hcd: Fix locking/synchronization error
  • USB: dummy-hcd: Fix interrupt synchronization error
  • usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial transfer
  • btrfs: fix the qgroup data free range for inline data extents
  • btrfs: do not free data reservation in fallback from inline due to -ENOSPC (CVE-2025-71269)
  • Revert "nvme: fix admin request_queue lifetime"
  • blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue
  • nvme-pci: remove an extra queue reference
  • nvme-pci: put the admin queue in nvme_dev_remove_admin
  • nvme: fix admin request_queue lifetime (CVE-2025-68265)
  • nvme: fix admin queue leak on controller reset (CVE-2026-23360)
  • [arm64] net: enetc: fix PF !of_device_is_available() teardown path
  • usb: gadget: uvc: fix NULL pointer dereference during unbind race
  • usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
  • usb: gadget: f_rndis: Protect RNDIS options with mutex
  • usb: gadget: f_uac1_legacy: validate control request size
  • wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
  • ext4: fix use-after-free in update_super_work when racing with umount
  • block: fix resource leak in blk_register_queue() error path
  • [x86] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE (CVE-2026-23401)
  • net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
  • net: macb: Move devm_{free,request}_irq() out of spin lock area
  • scsi: target: tcm_loop: Drain commands in target_reset handler
  • mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
  • [x86] cpu: Enable FSGSBASE early in cpu_init_exception_handling()
  • ksmbd: fix memory leaks and NULL deref in smb2_lock()
  • ksmbd: fix potencial OOB in get_file_all_info() for compound requests
  • tracing: Fix potential deadlock in cpu hotplug with osnoise
  • hwmon: (pmbus/core) Add lock and unlock functions
  • hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes
  • ext4: factor out ext4_percpu_param_init() and ext4_percpu_param_destroy()
  • ext4: use ext4_group_desc_free() in ext4_put_super() to save some duplicated code
  • ext4: factor out ext4_flex_groups_free()
  • ext4: fix the might_sleep() warnings in kvfree()
  • ext4: publish jinode after initialization
  • MPTCP: fix lock class name family in pm_nl_create_listen_socket
  • ext4: handle wraparound when searching for blocks for indirect mapped blocks
  • cpufreq: governor: Free dbs_data directly when gov->init() fails
  • cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
  • mtd: spi-nor: core: avoid odd length/address reads on 8D-8D-8D mode
  • mtd: spi-nor: core: avoid odd length/address writes in 8D-8D-8D mode
  • erofs: handle overlapped pclusters out of crafted images properly (CVE-2024-47736)
  • erofs: fix PSI memstall accounting
  • erofs: Fix the slab-out-of-bounds in drop_buffers()
  • xfs: avoid dereferencing log items after push callbacks
  • xfs: save ailp before dropping the AIL lock in push callbacks
  • net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend()
  • net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (CVE-2025-37945)
  • net: phy: fix phy_uses_state_machine()
  • gfs2: Fix unlikely race in gdlm_put_lock (CVE-2025-40242)
  • Bluetooth: eir: Fix possible crashes on eir_create_adv_data (CVE-2025-38303)
  • block: Fix the blk_mq_destroy_queue() documentation
  • ext4: fix lost error code reporting in __ext4_fill_super()
  • ext4: fix unused iterator variable warnings
  • ACPI: EC: Evaluate orphan _REG under EC device https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.169
  • lib/crypto: chacha: Zeroize permuted_state before it leaves scope
  • wifi: rt2x00usb: fix devres lifetime
  • xfrm_user: fix info leak in build_report()
  • mptcp: fix slab-use-after-free in __inet_lookup_established
  • Input: uinput - fix circular locking dependency with ff-core
  • Input: uinput - take event lock when submitting FF request "event"
  • media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
  • media: uvcvideo: Use heuristic to find stream entity
  • usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
  • Revert "ACPI: EC: Evaluate orphan _REG under EC device"
  • ACPICA: Add a depth argument to acpi_execute_reg_methods()
  • ACPI: EC: Evaluate _REG outside the EC scope more carefully
  • usb: gadget: f_hid: move list and spinlock inits from bind to alloc
  • rfkill: Use sysfs_emit() to instead of sprintf()
  • rfkill: sync before userspace visibility/changes
  • net: rfkill: reduce data->mtx scope in rfkill_fop_open
  • net: rfkill: prevent unlimited numbers of rfkill events from being created
  • seg6: separate dst_cache for input and output paths in seg6 lwtunnel
  • Revert "mptcp: add needs_id for netlink appending addr"
  • drm/scheduler: signal scheduled fence when kill job
  • netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
  • netfilter: nft_ct: fix use-after-free in timeout object destroy
  • xfrm: clear trailing padding in build_polexpire()
  • tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
  • wifi: brcmsmac: Fix dma_free_coherent() size
  • [arm64] dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
  • [arm64] dts: hisilicon: hi3798cv200: Add missing dma-ranges
  • nfc: pn533: allocate rx skb before consuming bytes
  • batman-adv: reject oversized global TT response buffers
  • EDAC/mc: Fix error path ordering in edac_mc_alloc()
  • net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
  • batman-adv: hold claim backbone gateways by reference
  • [x86] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
  • net/mlx5: Update the list of the PCI supported devices
  • mmc: vub300: fix NULL-deref on disconnect
  • net: stmmac: fix integer underflow in chain mode
  • rxrpc: fix reference count leak in rxrpc_server_keyring()
  • rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
  • Revert "PCI: Enable ACS after configuring IOMMU for OF platforms"
  • [x86] CPU: Fix FPDSS on Zen1 (CVE-2026-31628) https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.170
  • crypto: scatterwalk - Backport memcpy_sglist()
  • crypto: algif_aead - use memcpy_sglist() instead of null skcipher
  • crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)
  • crypto: algif_aead - snapshot IV for async AEAD requests
  • crypto: authenc - use memcpy_sglist() instead of null skcipher
  • crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
  • crypto: authencesn - Fix src offset when decrypting in-place
  • crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
  • crypto: algif_aead - Fix minimum RX size check for decryption
  • Buffer overflow in drivers/xen/sys-hypervisor.c (CVE-2026-31786)
  • xen/privcmd: fix double free via VMA splitting (CVE-2026-31787) . [ Salvatore Bonaccorso ]
• Revert "RDMA/rxe: Fix double free in rxe_srq_from_init"
• RDMA/rxe: Fix double free in rxe_srq_from_init
• [amd64] x86/CPU: Only try to mitigate FPDSS on Zen1
• apparmor: validate default DFA states are in bounds Checksums-Sha1: d8cbf861a57887b53a8886d80d44d7445b6430e5 399396 linux_6.1.170-1.dsc b342384d0ca38f4be72dc5936d5d3725a68d2a54 137897868 linux_6.1.170.orig.tar.xz 1dd976e72269ae61f4feaee2f2a2bddfe253e07c 1837236 linux_6.1.170-1.debian.tar.xz e52d9c725d8eb590f89414b7cc1708820ce924c0 6985 linux_6.1.170-1_source.buildinfo Checksums-Sha256: 3586ec318f1247d81ca466fcf9c11a0ef90a22919ed6b0668a44cb8bf0f1c7d3 399396 linux_6.1.170-1.dsc d97c2b2683633677fa1f41bf5cc58cfac7664b84ca885ce6546d40fee87ba7fe 137897868 linux_6.1.170.orig.tar.xz 9587d682bfa15f20635ffb78a6cff7b7e66b14981dc1323911bb894759ab8d3b 1837236 linux_6.1.170-1.debian.tar.xz 97963c42d28d365b71c70a68bd6b700a96cbf3dd5f5d6a60b5daa52334a0e7e1 6985 linux_6.1.170-1_source.buildinfo Files: 7c64f506e99fcac3d50217b291049e75 399396 kernel optional linux_6.1.170-1.dsc 73227aef0315c3465025182287832395 137897868 kernel optional linux_6.1.170.orig.tar.xz 8f40bbcefa8caa78601d51c82b6c4e34 1837236 kernel optional linux_6.1.170-1.debian.tar.xz 43011606542047e6116131fb0df3e75c 6985 kernel optional linux_6.1.170-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmnzqnBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89E9pgQAIQjUvIkImj5E/qZDW0C+icryIMLkSvl EC837N1tIdRA2b/kn8nAmR5Rj0x2sHQvdGSaLfB+VgusD+Xv7CdN9hHcI7eOWgEC bkMkeWA9DVyUylA8UpMRWgkbgNooOhSCkuRDDiCjLwfzjEcQ55PNjlX+XWQ+dMCr N/XUFfBGwjHikFnPvR2f9pUbXK6imGKMHpeNrnGqudG9ZgjZUYTccFLjVu/LQZ6v hXNho//WBn+qj1gedNBF0/I0OWXZfTpawNJojy3xetUKwBlUGN9Ay3r9n/bOoHFG rpgwLURlyrkTFkNylq/ZYGgTfLiH1AVEi114gEiZyGRJ+m5mBdYkm+k1WmOTsH0I VDKQn82rf+eKd6O9e1rUiDSwEtUcbSNUI2rNVQit/v8cbRFyMMUrD9Pd5ySMkx/j kS4pSa6foFVgRimYUum4I3Dm+tgufo/RHTxO/4utnP5V1/UdGVxUBxuMnAmEPJ8Y Ir+vkQdbwSvt1W4SU3nT7yj7HfC4RGtkcVA+gmpmif4Lu0ld1qkCssKodx++9ISZ WhvThjTUQjoILgrkyctxJrjK26FfOMn2Y+QaiJYZNwbEJNTfWphYREq6Qzkpnxjj hDFp+uurnXFcSSGY9sQo6601wHe5ptRQI5grcZ/bWRa2dd7AQ9jMIcs5GylKm1jK lvOOLOonDAo6 =r9Jd -----END PGP SIGNATURE-----